The GRC Summit 2019 brought together business executives, board directors, GRC practitioners, and industry analysts from around the world to discuss the biggest risks and opportunities facing organizations today. Here are some of the key highlights from the event.
“Perform with Integrity™”
Mikael Hagstroem, President and CEO, MetricStream

Successful performance begins with a spark of passion that, when guided by integrity and compassion, helps us improve the human condition and enable a higher quality of life. Don’t miss this keynote by Mikael Hagstroem as he talks about MetricStream’s mission of integrity, key successes over the past year, and the importance of cultivating a sense of compassion.

“Performance without integrity is like momentum without direction.”
Gunjan Sinha, Executive Chairman, MetricStream, with Special Guest: Steve Waugh, Baltimore State Senator (2015 – 2018)

Looking back at his time in the US Marine Corps and later in the Baltimore state senate, Steve Waugh shares his personal experiences in managing and mitigating risks. Gunjan Sinha, in turn, imagines what the successful organizations of the future will look like. A strong sense of purpose, he predicts, will be a key pillar of success, coupled with a commitment to diversity, inclusion, empowerment of the front line, ethical data, and socially conscious AI. Find out more in this keynote.

“As GRC professionals, we must evangelize purpose over raw performance and profits.” - Gunjan Sinha
Tony Scott, Former U.S. Chief Information Officer (2015-17)

Pointing out that the future is “software defined everything,” Tony Scott provides a comprehensive perspective on some of the biggest technology priorities in the world today, including security by design, zero trust computing, interoperability, and quantum computing. He also discusses why effective IT governance processes are critical for emerging technologies like AI.

“There are three big transformation drivers that we’re going to have to pay attention to in the next five years – relentless digitization; security and privacy; and machine learning and AI.”
Jim Quigley, CEO Emeritus, Deloitte, and Member of the Board, Audit Committee Chair, Risk Committee and Credit Committee, Wells Fargo & Company

Talking about the “known” and “unknown” risks that organizations have to deal with, Jim Quigley emphasizes the need for effective risk frameworks that not only strengthen oversight, but also give board members the confidence that risk-taking activities are well within the established risk appetites. He goes on to highlight why risk culture, particularly in the front line, has a tremendous impact on business performance.
Andreas Diggelmann, Executive Vice President and Chief Technology Officer, MetricStream, and Vidyadhar Phalke, Chief Innovation and Cloud Officer, MetricStream

Watch this joint keynote to learn how MetricStream is collaborating and co-innovating with customers and partners to leverage emerging technologies like AI, machine learning, robotic process automation, and natural language processing in GRC. These new innovations will allow organizations to embed GRC as deeply in their businesses as ERP systems are today, the speakers note.

“Anytime there was a failure in financial reporting in the past, the question asked was ‘Where were the auditors?’ Today, stakeholders are asking ‘Where was the board? Where were the risk committee, the chief risk officer, the chief compliance officer, and their respective teams?’”

“New technology opportunities are presenting themselves across the whole chain of GRC, from the first mile to the last mile.” - Andreas Diggelmann
Gaurav Kapoor, Chief Operating Officer, MetricStream

Drawing from conversations with customers over the past year, Gaurav Kapoor talks about the five key trends that are changing the way we do GRC – (1) disruption, (2) data harmonization, (3) crowdsourcing and front-line empowerment, (4) risk foresight, and (5) agility. Watch this presentation to learn how GRC functions can effectively manage and respond to these trends.
Anna Felländer, Co-founder of the AI Sustainability Center

AI may have tremendous potential to improve the quality of human life, but it also poses significant ethical risks with grave consequences. What are some of these risks? How do we ensure that we’re investing as much in the humanistic side of AI as the engineering side? How do we shape a future where humans lead AI, not the other way around? Watch this keynote to find out.

“Agility is as important as stability now. In a world where disruption is the only constant, GRC has to be adaptable.”

“We shouldn’t be asking ‘What can AI do?’ We should be asking ‘What should AI do?’”
As part of the summit, 30 chief risk officers, chief audit executives, chief compliance officers, and chief information security officers took time out to participate in MetricStream’s inaugural CXO roundtable. The group shared their insights and experiences on three key topics: cyber risk management, integrated risk management, and the future of internal audit. Some of the areas that were discussed included:
• How to define critical assets, and prioritize cyber risk investments
• Why relevance-oriented decisions in cyber risk management are replacing probability-based decisions
• How integrated risk management programs are evolving with new technologies like AI
• How to get the first line more involved in risk management
• How digitization is transforming internal audit teams, tools, and processes

Discover more about the key takeaways from the roundtable in this white paper.
Jim Quigley, CEO Emeritus, Deloitte, and Member of the Board, Audit Committee Chair, Risk Committee and Credit Committee, Wells Fargo & Company; John Forlines, Chief Risk Officer, Fannie Mae; William Onuwa, Chief Audit Executive, Royal Bank of Canada

The days of looking at performance as the be-all and end-all of success have gone. Today, it’s no longer just about what you deliver, but how you deliver it. Integrity is key to trust, and trust is key to success. But how do you build integrity as a core competency? How do you make it a repeatable and reliable practice? Find out in this panel.
Tony Scott, U.S. Chief Information Officer (2015–2017); Michael Cover, Director, Blue Cross Blue Shield of Michigan; Sanjay Sinha, Chief Marketing Officer, MetricStream. Moderated by: Andreas Diggelmann, Chief Technology Officer, MetricStream

Don’t miss this in-depth discussion on the notion of a platform, including its benefits and pitfalls, how to communicate its value to the business, and how to roll it out in an optimal manner. Learn about key best practices such as designing a blueprint for platform implementation, staying “as out of the box as possible,” and ensuring that each piece of the platform is demoed and verified.

“The best companies will be those that have a culture of integrity ingrained in everything they do.” - John Forlines

“If you don’t have a common platform, you’re just going to be slow. And in today’s world, slow is tantamount to death.” - Tony Scott
Alessia Falsarone, Managing Director, Pinebridge Investments; Alex Gacheche, Director - Model Risk Governance, Freddie Mac; William Mennonna, Chief Risk Officer, PNC Capital Advisors; Nick Theodorakos, Director - Financial Risk, TD Ameritrade. Moderated by: Anthony Bria, Director, MetricStream

As banking environments and models evolve, new risks are rapidly emerging. How should enterprise risk management (ERM) frameworks and processes evolve? What are the key building blocks of a good ERM program? Why should risk managers be considered a strategic business function? This panel seeks to answer these questions.

“We need to do a better job of quantifying non-financial risk – for example, reputational risk.” - Alex Gacheche

Anna Mazzone, Managing Director and General Manager, UK and Ireland, MetricStream; Peter Bannister, SVP for GRC, MetricStream; Susan Palm, SVP – Customer Success and Engagement, MetricStream; Victoria Muñoz-Titos, GRC Advisory, MetricStream

Noting that operational disruptions are on the rise, the panelists at this session talk about the need to move away from siloed operational risk management processes to a more integrated approach, one that focuses on mapping critical business services end-to-end while also linking risk to strategic objectives. These and other insightful findings are all in this discussion.

“Flex, not break – that’s a good way to think about an operational resilience program.” - Anna Mazzone
The Value of Assessing Compliance Risks in Your Compliance Program: Key Learnings and Best Practices

Ileana Canlas, Head of Compliance & Internal Audit, CAE USA Inc.; Jerry Storey, MD – Regulatory Affairs & Compliance, FedEx Logistics; Liza Abad, Head of Enterprise Risk - North America, Paysafe Group; Melissa A. Borrelli, Sr Manager – Compliance, Mazars USA LLP. Moderated by: Ed Park, Regional Vice President – GRC Solutions, MetricStream

With a range of perspectives from defense, logistics, healthcare, and payments, this panel provides an engaging look at how compliance risk management is evolving to drive business performance. Watch the discussion for insights on managing regulatory change, developing a forward-looking approach to risk management, and strengthening collaboration across the lines of defense.
Brent Houlahan, Chief Security Architect, Unisys; Garrett Smiley, CISO & VP of Information Security, Serco, Inc.; Gavin Anthony Grounds, Executive Director, Information Risk Management & Cyber Security Strategy, Verizon. Moderated by: Vibhav Agarwal, Director – Strategic Initiatives, MetricStream

In an age of rapidly evolving cyber threats, basic change control and configuration management are just as important today as they have always been, notes this panel of cybersecurity experts. Listen to the discussion to find out how the risk landscape is changing, why security needs to be embedded in the product lifecycle right from the ideation stage, and how to build a pervasive culture of security.

“If we want our businesses to remain profitable, we have to assess the risks we’re not thinking about, the ones we may not know of, those known unknowns and the unknown unknowns.” - Jerry Storey

“When it comes to culture, the best thing we can do is to be better communicators of the value of security and how it directly benefits the people we’re talking to.” - Garrett Smiley
Jakub Petersson, Director Enterprise Risk Management, CNO Financial Group; Jessey Abraham, VP - Technology Risk & Compliance Officer, Federal Home Loan Bank of New York; Garrett Smiley, CISO & VP of Information Security, Serco, Inc. Moderated by: Rohit Bedi, EVP, Partnerships and Alliances, MetricStream

Cybersecurity needs to be integrated with risk management in such a way that people receive all the intelligence they need to respond proactively to threats. Find out more in this panel, which explores some of the top cyber risks facing organizations, changing perspectives on the lines of defense, and the importance of establishing common risk taxonomies.
Lynda Witter, Senior Audit Manager, BMO; Melissa A. Borrelli, Sr. Manager – Compliance, Mazars USA LLP; Susan DeSantis, Managing Director - Chief Compliance Officer, DTCC. Moderated by: Susan Palm, SVP – Customer Success and Engagement, MetricStream

The GRC veterans on this panel look back on their GRC journeys and share some of the challenges, pitfalls, and successes encountered. They also talk about the lessons learned, including the importance of aligning GRC with the business, getting buy-in from the beginning, and bridging gaps across the three lines of defense.

“For IT risk management to be successful, we need to translate risks like phishing vulnerabilities into their business impact through all the different levels of the organization, right up to the board.” - Jessey Abraham

“Build relationships with the departments that you’re going to be working with on a regular basis when implementing a GRC software program.” - Melissa A. Borrelli
Renee Murphy, Principal Analyst, Forrester Research

Reputation factors heighten the impact and probability of every risk type. And in the age of the customer, reputation is more important than ever. Millennials expect corporations to stay true to their brand promise, and to demonstrate integrity and ethics in everything they do. So, how should companies be responding? Renee Murphy shares her insights.

“If you’re not agile in monitoring themes, things are going to fail and break.”
Michael Rasmussen, Chief GRC Pundit, GRC 20/20

Using the analogy of the Titanic, Michael Rasmussen cautions organizations against becoming complacent or over-confident in their GRC activities. The disruptive, dynamic nature of business demands that GRC be agile, he notes. Just as important, GRC needs to be integrated and collaborative to truly add value in an interconnected environment. Find out more in this analyst presentation.
Philip Aquilino, EVP, Head of Regulatory Relationships & Government Affairs, TD Bank

Over the past 10 years, the global banking industry has paid in excess of $450 billion for conduct-related matters. The best mitigant for these risks? A healthy culture. In this insightful presentation, Philip Aquilino talks about why culture is so important, and how to foster and measure it through practical strategies.

“Culture requires constant effort, emphasis, and recognition that it is not static.”
Marina Adams, Compliance Officer & AVP, Federal Reserve Bank of New York

As a regulated institution, you’d better know your risks, or you will not be deemed sound and safe, notes Marina Adams. How does one determine the appropriate risk metrics for compliance? What are the attributes of an effective compliance risk assessment? What should a compliance risk register look like? Watch this expert talk to find out.

“A comprehensive risk assessment is the cornerstone of an effective compliance program. You cannot manage what you do not know.”
Russ Walsh, Principal Regulatory Compliance Advisor, GE

Drawing on his experience with leading enterprise software companies, Russ Walsh highlights the importance of security and privacy by design, noting, “You really want to avoid technical debt.” He also outlines several best practices for security compliance, such as how to choose the right auditors and how to decide which security standards to comply with. Don’t miss this engaging presentation.

“We have to think about security in release 1, not in release 1.7... Unfortunately, in many companies we release cloud software where we don’t bake security in from the start.”
Raven Catlin, Former CAE and Industry Expert in Internal Audit and Risk Management

We must move out of the stone age and into the new age, says Raven Catlin as she talks about the need for internal audit to embrace change, be it in the form of new tools, new skills, or new approaches to auditing. Watch her insightful presentation on the key trends and predictions that auditors need to be paying attention to as they look for innovative ways to add value to the business.
Peter Kenow, Audit Director – Data Innovation & Analytics, Wells Fargo Audit Services

Comparing the fates of Blockbuster and Netflix, Peter Kenow explores why innovation and transformation are so important, particularly for audit and risk management. All three lines of defense need to embrace and participate in transformation, he notes, because technology is more powerful than ever, data is more available than ever, and talent is better than ever. Find out more in this expert talk.

“We still need to get better at identifying and understanding risks and, more importantly, truly doing risk-based auditing.”

“We transform audit through innovation and optimization. How do we do that? By being continuous, complete, and collaborative.”
Gavin Anthony Grounds, Executive Director, Information Risk Management & Cyber Security Strategy, Verizon

Traditional cyber risk conversations tend to focus mainly on risk impact and likelihood. But to really add value, we need to be able to clearly quantify and interpret cyber risk in terms of its business and fiscal impact. How do we do that effectively? Is it possible to manage cyber risk as “currency”? And what are the benefits of doing so? Gavin Anthony Grounds provides his expert insights.

“Cyber risk today has tangible revenue, margin, and shareholder impact ... We literally can calculate the number. The question is, do we?”
Scott Baldwin, Director - Enterprise Resiliency, Symantec

Today’s public expects 24/7, uninterrupted access to goods and services. They will not wait long for a company to recover from a disruption. Therefore, businesses must be able to build their resilience and agility. Find out how in this expert talk by Scott Baldwin, who emphasizes the need to approach business continuity and disaster recovery from a risk lens.
Michael C. Redmond, Director, IT & GRC Consultant and Auditor, EFPR Group

Using multiple real-life anecdotes from her experience as a business continuity specialist, Michael C. Redmond provides an in-depth look at the key factors, hurdles, and recommendations that organizations need to keep in mind when putting together a business continuity and disaster recovery program.

“Working within a risk framework will allow for the proactive identification and mitigation of risks before they become impacts. This is the perception that must be highlighted.”

“People do risk assessments too quickly. If your assessment took you less than three months, and you’re a large corporation, go back and start over.”
Understanding the Challenge of Change: Blue Cross Blue Shield of Michigan

Michael Cover, Director, Blue Cross Blue Shield of Michigan

Michael Cover takes us through BCBS’s journey from decentralized GRC processes and siloed tools to an integrated, centralized GRC platform. Get an inside look at how Michigan’s largest health insurer successfully implemented GRC. Also, understand the guiding principles, change drivers, and pitfalls to look out for on your own GRC journeys.

“You can really only achieve true integration when you align your goals to those of your business partners.”
Knute Ohman, VP - GRC Program Manager, TCF Bank

Knute Ohman discusses practical steps that organizations can take to promote a high level of user adoption around GRC solutions and methodologies. Discover why it’s essential to perform user observations and to act quickly when encountering negative perceptions about the tool. Learn also about quick wins for adoption, be it modifying standard reports or configuring info centers.
Akhenaton Marcano, Head, Operational Risk and Controls, First Citizens Bank

Akhenaton Marcano discusses how a rapidly growing financial services institution like First Citizens Bank is realizing its vision of integrating business continuity, operational risk management, compliance, policy management, and internal audit on a single GRC platform. Learn about the typical challenges faced, GRC roadmaps, business benefits realized, and key learnings.

“Even a perfectly designed GRC methodology and application can be brought to its knees by low or poor user adoption.”

“Always remember that the whole is greater than the sum of its parts. You have to think about cross-functional use cases and integration.”